Information systems security: Management success factors

Even if an organization has the best technical computer security talent and the most dedicated staff, it may still have an ineffective systems security function. This situation is frequently encountered and is caused by too much emphasis on the technical aspects and too little attention to the managerial aspects of systems security. Many of us in the systems security field immerse ourselves in fascinating technical details at the expense of the managerial issues essential to the success of a systems security effort. This article discusses the managerial perspectives with which an appropriate balance between the managerial and the technical may be struck. Although each organization has its idiosyncrasies, experience has shown that a number of common approaches to managing an information systems security function are both effective and prudent. While there exists no standard template with which one can design a systems security function, this article illuminates some tried-and-true methods associated with organizational design, raising the level of management awareness, and obtaining needed resources. This article is based partly on a panel discussion for which the author was the moderator, an informal poll of San Francisco Bay Area systems security administrators and EDP auditors, and the author's information systems security consulting experience.